Fixed #26614 -- Used constant_time_compare() in checking session auth hash in login().

This commit is contained in:
Tim Graham 2016-05-13 18:26:10 -04:00
parent 104727030c
commit 094ea69e07
1 changed files with 1 additions and 1 deletions


@ -100,7 +100,7 @@ def login(request, user, backend=None):
if SESSION_KEY in request.session:
if _get_user_session_key(request) != user.pk or (
session_auth_hash and
request.session.get(HASH_SESSION_KEY) != session_auth_hash):
not constant_time_compare(request.session.get(HASH_SESSION_KEY, ''), session_auth_hash)):
# To avoid reusing another user's session, create a new, empty
# session if the existing session corresponds to a different
# authenticated user.
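Review bot: The new line gives no hint why the plain `!=` was replaced, so a later cleanup could regress it to an ordinary comparison; a short why-comment above the `constant_time_compare(...)` call would anchor it, e.g. `# Compare the stored hash in constant time so a mismatch cannot be probed byte by byte via timing.`. The `''` default keeps the old behaviour for a session with no HASH_SESSION_KEY (the compare fails and the session is flushed), which is worth a word in that same comment so the default is not mistaken for a lax fallback. The hunk does not show the module's import block, so this presumes `constant_time_compare` is already imported in this file. The enclosing `login()` starts and ends outside the hunk.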